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int *mem = malloc(sizeof(int)); 
free(mem) : 


printf("%d", *mem); 


fn main() { 
let mem = String::from(''Hello World"); 
let mut mem_ref = &men; 
i 
let new mem = String::from("Goodbye"); 
mem ref = ánew mem; 


println! ("name is {}", &mem ref); 


Compile a UAF toy 
example in Rust 


error[E0597]: "new mem does not live long enough 
--> Src/main.rs:6:20 
| 


6 | mem ref = new mem; 
| AAAAAAA borrowed value does not live long enough 
7 | 
| - "new mem' dropped here while still borrowed 
81 println!("name is {}", &mem ref); 
91 
| 


H 


borrowed value needs to live until here 
error: aborting due to previous error 


For more information about this error, try `rustc --explain E0597 . 
error: Could not compile `uaf `. 
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21. Appendix 


Unsafe Rust 


All the code we've discussed so far has had Rust's memory safety guarantees enforced at compile 
time. However, Rust has a second language hiding inside of it that does not enforce these memory 
safety guarantees: unsafe Rust. This works just like regular Rust, but gives you extra superpowers. 


Unsafe Rust exists because, by nature, static analysis is conservative. When the compiler is trying to 
determine if code upholds the guarantees or not, it's better for it to reject some programs that are 
valid than accept some programs that are invalid. That inevitably means there are some times when 
your code might be okay, but Rust thinks it's not! In these cases, you can use unsafe code to tell the 
compiler, “trust me, | know what l'm doing.” The downside is that you're on your own; if you get 
unsafe code wrong, problems due to memory unsafety, like null pointer dereferencing, can occur. 


There's another reason Rust has an unsafe alter ego: the underlying hardware of computers is 
inherently not safe. If Rust didn't let you do unsafe operations, there would be some tasks that you 
simply could not do. Rust needs to allow you to do low-level systems programming like directly 
interacting with your operating system, or even writing your own operating system! That's one of the 
goals of the language. Let's see what you can do with unsafe Rust, and how to do it. 


Unsafe Superpowers 


To switch into unsafe Rust we use the unsafe keyword, and then we can start a new block that 
holds the unsafe code. There are four actions that you can take in unsafe Rust that you can't in safe 
Rust that we call “unsafe superpowers.” Those superpowers are the ability to: 


1. Dereference a raw pointer 

2. Call an unsafe function or method 

3. Access or modify a mutable static variable 
4. Implement an unsafe trait 
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Rust 
static mut COUNTER: u32 = 0; 


fn add to count(inc: u32) í 
unsafe £ COUNTER += inc; } 


fn main() £ 
add to count(3); 


unsafe 1 println! ("COUNTER: {}", COUNTER); ን 
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unsafe fn dangerous() { 
let address = 0x012345usize; 
let r = address as *const 132; 


} 


fn main() { 
unsafe { dangerous(); } 
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extern "C" { 
fn abs(input: i32) -> 132; 


println! ("Absolute value of -3 according to C: 


{}", abs(-3)); 
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unsafe fn dangerous() { 
let address = 0x012345usize; 
let r = address as *const 132; 


} 


fn safe_function() { 
unsafe { dangerous(); } 
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fn main { 
safe function(); 
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cargo build -vv 


e [|] verbose 0000 ion shell. 


: "cc" "-00" "-ffunction-sections" "-fdata-sections" 
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"/Users/mssun/Repos/ion/target/debug/build/decimal- 
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Rust 


extern crate rusqlite; 
use rusqlite::Connection; 


fn main() { 
let conn = Connection::open in memorv().unwrap(); 
match conn.execute("create virtual table a using fts3(b);", &[]) + 
If sun 
} 


match conn.execute("insert into a values (x'4141414141414141');", &[]) { 
// ... 


} 
match conn.query_row("SELECT HEX(a) FROM a", &[], |row| -> String 
{ row.get(0) }) { 
// ... 
} 


match conn.query_row("SELECT optimize(b) FROM a", &[], |row| -> String 
{ row.get(0) }) { 
Lf was 
} 


Run 
$ cargo run 
Finished dev [unoptimized + debuginfo] target(s) in 0.05 secs 
Running target/debug/rusqlite' 


success: 0 rows were updated 

success: 1 rows were updated 

success: F0634013D87F0000 

[1] 31467 segmentation fault cargo run 
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History for / salite3.c 


Commits on Feb 10, 2018 


Update to latest version of SQLite3 3.22.0 


gwenn committed on Feb 10 


Commits on Mar 3, 2017 


Update bundled SQLite source to 3.17.0 


Ed jgallagher committed on Mar 3, 2017 


Commits on Jun 15, 2016 


adding sglite v3.13.0 amalgamation 
"A Chip Collier committed on Jun 15, 2016 
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